- Redirect /syncthing to /syncthing/ as the daemon does not work
without a slash at the end.
- Create a separate include file for LDAP authentication
configuration that can be included on other app configurations.
LDAP admin and basic structure setup requires running slapd. Move this
to first-run so we don't have to start slapd during setup. This should
avoid issues when running setup in a chroot.
- Remove extra newlines added to torrc.
- Remove comments added in random places to torrc.
- Enable tor instance during setup.
- Fix restarts to use tor instance.
- Revert change to augeas lens to attempt handling +.
- Add support for hyphens in values to augeas lens.
- Increment module version so setup can run again.
- RTP ports used for voice and video communication can span a wide range
of ports. Some servers seem to restrict the range. However, repro
does not seem to do that. So, open up the full range.
- Update action to not configure jwchat anymore.
- Update action to not disable jwchat apache configuration. Since the
package is no longer installed, this could cause failures.
- Update action to no refer to jwchat in comments.
- Update jwchat-plinth Apache configuration to not include jwchat
anymore. Keep this file name for now instead of renaming it to
jsxc-plinth as this would introduce additional complexity with little
benefit.
- Install package libjs-jsxc instead of jwchat during xmpp setup.
- Create jsxc front page shortcut instead of for jwchat.
- Perform diagnostics on /http-bind/ URL needed for jwchat instead of
/jwchat.
- Update links that launch XMPP web client.
Allow Plinth to manage network connections even when running as 'plinth'
user and not root user. This is done by adding polkit rules that
Network Manager checks
- Add new style Javascript based rules file for newer versions of
polkit (>105). This is not fuly tested.
- Add old style .pkla file for older versions of polkit (<=105).
- Create and list filesystem snapshots. Hide "current" snapshot.
- Allow deleting snapshots, except for default subvolume.
- Allow rollback to a snapshot.
Add a dispatcher script to NetworkManager to configure
B.A.T.M.A.N. Advanced interfaces. This quite a bit hacky at it is
triggered for network connections that have the keyword "BATMAN" in
them. The proper way to implement this is as a core change in
NetworkManager itself (as it lacks plugins). It is done is the hope
that it will garner some more interest in FreedomBox for mesh networks.
Currently, it is possible to create a BATMAN mesh network and shared
existing internet connections on it. Other boxes can then join this
mesh network and use that internet connection.
Known issues:
- Very unintuitive setup process. First create a connection with device
a Wi-Fi device, mode as ad-hoc, with a known frequency and BSSID. The
name of the connection should have contain BATMAN in it. It should
also have IPv4 method as disabled. Second connection should be
created for 'bat0' interface after the first on is successful. It can
be with method 'shared' for sharing internet connection and doing DHCP
requests or 'auto' for aqcuiring IP address from another node in the
mesh network.
- Untested for joining existing mesh networks.
- Requires configuring two network connections and the second one needs
to be manually enabled after the first one is successfully activated.
- Show free space of currently mounted partitions. Should help with
people running out of free space and ending up with non-working
system. In future, this module could emit more visible messages.
- Show and allow expanding root partition to help people who have
written FreedomBox images to higher capacity SD cards. Very selective
and restrictive checks to minimize problems.
- Automated tests to ensure expansion works in non-trivial senarious.
We pretty much only run in systemd environment and I don't see that
changing any time soon. By relying on it, we can reduce some burden.
Remove init script.
Daemonizing is not needed for systemd. Remove code related
daemonization.
Since we are running PAM update script from users action file, it is
appropriate for the PAM configurations that are effected by it to stay
here in Plinth as well.
- Indentation for HTML template consistent with other templates.
- Style 'repro' like the upstream project does in all small case.
- Better describe the functions of a SIP server and organize the actions
to be done by the user.
- Set the menu weight so that it does not clash with an existing module.
- Name the application 'SIP Server' instead of 'SIP Proxy' as that
better describes the capabilities of the repro and is simpler for
users to understand.
- Since SIP is a generic protocol implemented by various servers, the
firewall service must describe the protocol instead of the
application. This is similar to the way firewalld handles
http/https. This also make the service descriptions more acceptable
by upstream.
- Split unencrypted and encrypted services so that one can enabled
without the other (a possibility with SIP).
- Add 5061/UDP for SIP over DTLS and DCCP.
This is the first implementation for obtaining certificates from Let's
Encrypt. Following the features and limitations.
- Requires manual operation.
- Registrations are done anonymously.
- Supports revoking and re-obtaining certificates. Does not have a way
to show if a certficate is already renewed.
- Automatic renewal is not available.
- Details messages in case of errors.
- Has ability to switch to testing mode by using LE's staging servers.
- Sets up Apache configuration for the domain and enables/disables it.
When certificates are not available for a domain, default website
configuration is used. When certificates are available, separate
SSL website configuration for each domain is used.
- Many domain will work with a single IP address with the help of Server
Name Indication (SNI) which is supported by all modern browsers.
- Supports diagnostics on websites.
monkeysphere: Run publish as background task, allow user to cancel.
Small fixes to names module:
- Remove unused ugettext import.
- Change SERVICES to tuple.
- If a domain is not available for a service type, return None instead
of (translated) "Not Available".
- Rename get_services -> get_enabled_services.
Set the default firewall zone. When network connections are configured
outside of FreedomBox/Plinth, they will not be able to serve the Plinth
web interface. This is because all such interfaces will fall in the
default firewall zone and that is, by default, 'public'. On 'public'
zone we don't allow Plinth web interface as this zone is not managed.
Configuration of network connections happen outside for
FreedomBox/Plinth for various reasons:
- Existing network connections before installation of freedombox-setup
- Connections configured in /etc/network/interfaces
- Connections manually configured using nmtui
- Connections created using GUI environments such as GNOME
Rather then clearing out /etc/network/interfaces during setup and
expecting the connections not to be created outside of Plinth, setting
the default firewall zone is a better approach. This default zone
selection fits with the main purpose of FreedomBox to be a router which
is also reflected by the fact that only 'external'
- Authentication using client certificates. Extra password based
authentication for later.
- Auto setup of CA, server and client certificates.
- Provides a .ovpn profile for each user for easy setup.
- Use 4096 bit Diffie-Hellman parameters for better security. If this
takes to much time, reduce it to 2048 or 1024, at least during
debugging.
The name 'Plinth' (cfg.product_name) is not used anymore after my previous
commits.
Reason for the complete removal: I do not think that users should know or have
to care about the internal name of the web interface of the FreedomBox.
